github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2026-01-13 19:36:22 +00:00
Code Issues Projects Releases Wiki Activity

kube-controller-manager: disable authn/z on insecure port

Browse Source 
This is the old behaviour and we did not intent to change it due to enabled authn/z in general.
As the kube-apiserver this sets the "system:unsecured" user info.
This commit is contained in:
Dr. Stefan Schimanski
2018-08-30 19:20:19 +02:00
parent e209b643a7
commit 8aa0eefce8
7 changed files with 32 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/kubeapiserver/server/BUILD
View File

@@ -10,7 +10,6 @@ go_library(
srcs = ["insecure_handler.go"],
importpath = "k8s.io/kubernetes/pkg/kubeapiserver/server",
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library",

15
pkg/kubeapiserver/server/insecure_handler.go
View File

@@ -19,7 +19,6 @@ package server
import (
"net/http"
"k8s.io/apiserver/pkg/authentication/user"
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
"k8s.io/apiserver/pkg/server"
genericfilters "k8s.io/apiserver/pkg/server/filters"
@@ -32,7 +31,7 @@ import (
func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
handler := apiHandler
handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
handler = genericapifilters.WithAuthentication(handler, insecureSuperuser{}, nil)
handler = genericapifilters.WithAuthentication(handler, server.InsecureSuperuser{}, nil)
handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
@@ -42,15 +41,3 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
return handler
}
// insecureSuperuser implements authenticator.Request to always return a superuser.
// This is functionally equivalent to skipping authentication and authorization,
// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
type insecureSuperuser struct{}
func (insecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
return &user.DefaultInfo{
Name: "system:unsecured",
Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
}, true, nil
}